
Please help with removal


Recommended Posts

Here is my DDS; attached are the mbam log, attach and ARK files as requested. Thank you in advance for any help.

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Freeman at 19:58:52 on 2011-08-05

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1350 [GMT -4:00]

.

AV: Norton Internet Security 2006 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Worm Protection *Disabled*

FW: Norton Internet Security 2006 *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

svchost.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Documents and Settings\Freeman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\nvsvc32.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\dllhost.exe

C:\Documents and Settings\Freeman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Freeman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll

TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uRun: [Google Update] "c:\documents and settings\freeman\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [nwiz] nwiz.exe /installquiet /nodetect

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1 205.152.37.23 192.168.1.1

TCP: Interfaces\{DADD97DB-541E-4D09-8ACB-CB46B2B3A490} : DhcpNameServer = 192.168.0.1 205.152.37.23 192.168.1.1

.

============= SERVICES / DRIVERS ===============

.

R? SAVScan;Symantec AVScan

S? 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam

S? ccEvtMgr;Symantec Event Manager

S? ccProxy;Symantec Network Proxy

S? ccSetMgr;Symantec Settings Manager

S? MBAMProtector;MBAMProtector

S? MBAMService;MBAMService

S? McrdSvc;Media Center Extender Service

S? navapsvc;Norton AntiVirus Auto-Protect Service

S? NAVENG;NAVENG

S? NAVEX15;NAVEX15

S? SAVRT;SAVRT

S? SAVRTPEL;SAVRTPEL

S? Symantec Core LC;Symantec Core LC

.

=============== Created Last 30 ================

.

2011-08-03 14:44:33 -------- d-----w- c:\windows\system32\appmgmt

2011-08-03 13:57:01 -------- d-sh--w- c:\documents and settings\freeman\PrivacIE

2011-08-03 13:56:34 -------- d-----w- c:\documents and settings\freeman\local settings\application data\PCHealth

2011-08-03 13:51:19 -------- d-sh--w- c:\documents and settings\freeman\IETldCache

2011-08-03 13:49:03 -------- d-----w- c:\documents and settings\freeman\application data\Malwarebytes

2011-08-03 13:48:57 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-03 13:40:58 -------- d-----w- c:\program files\OpenOffice.org 3

2011-08-03 13:38:40 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2011-08-03 13:38:39 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2011-08-03 13:38:39 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll

2011-08-03 13:38:39 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-08-03 13:38:39 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2011-08-03 13:38:39 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2011-08-03 13:38:39 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll

2011-08-03 13:37:36 -------- d-sh--w- c:\documents and settings\freeman\Temporary Internet Files

2011-08-03 13:37:36 -------- d-sh--w- c:\documents and settings\freeman\History

2011-08-03 13:33:31 294912 ------w- c:\windows\system32\dllcache\msctf.dll

2011-08-03 13:32:14 -------- d-----w- c:\windows\system32\SoftwareDistribution

2011-08-03 13:19:08 6144 ----a-w- c:\windows\system32\ftlx041e.dll

2011-08-03 13:19:08 5632 ----a-w- c:\windows\system32\kbdusa.dll

2011-08-03 13:19:08 185344 ----a-w- c:\windows\system32\Thawbrkr.dll

2011-08-03 13:19:08 10752 ----a-w- c:\windows\system32\c_iscii.dll

2011-08-03 13:18:44 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-08-03 13:18:42 20992 ----a-w- c:\windows\system32\dshowext.ax

2011-08-03 13:18:37 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys

2011-08-03 13:11:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-03 12:58:40 -------- d-----w- c:\documents and settings\freeman\local settings\application data\Google

2011-08-03 12:49:32 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-08-03 12:48:29 352640 ------w- c:\windows\system32\dllcache\srv.sys

2011-08-03 12:48:19 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2011-08-03 12:48:13 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe

2011-08-03 12:46:38 272128 ------w- c:\windows\system32\drivers\bthport.sys

2011-08-03 12:46:38 272128 ------w- c:\windows\system32\dllcache\bthport.sys

2011-08-03 12:46:14 82432 ------w- c:\windows\system32\dllcache\fontsub.dll

2011-08-03 12:46:05 58880 ------w- c:\windows\system32\dllcache\atl.dll

2011-08-03 12:46:04 8454656 ------w- c:\windows\system32\dllcache\shell32.dll

2011-08-03 12:44:44 -------- d-----w- c:\windows\system32\PreInstall

2011-08-03 12:44:24 -------- d-sh--w- c:\documents and settings\freeman\UserData

2011-08-03 12:43:21 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

2011-08-03 12:43:05 202752 ------w- c:\windows\system32\dllcache\rmcast.sys

2011-08-03 12:43:00 655872 ------w- c:\windows\system32\dllcache\mstscax.dll

2011-08-03 12:42:49 85504 ------w- c:\windows\system32\dllcache\cabview.dll

2011-08-03 01:00:14 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b16e9ccf-3a7e-4dce-bddf-8738c7eda528}\mpengine.dll

2011-07-25 01:58:44 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-07-25 01:58:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-20 00:42:06 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-07-17 11:49:45 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-07-17 11:49:45 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

.

==================== Find3M ====================

.

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

.

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys

c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver

1 ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Harddisk0\DR0[0x89E04AB8]

3 CLASSPNP[0xF74E805B] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\0000008f[0x89DC6A28]

5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Ide\IAAStorageDevice-0[0x898D1030]

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }

user != kernel MBR !!!

.

============= FINISH: 20:02:13.68 ===============

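The part of the log above that matters for the infection question is the Gmer ROOTKIT section at the end. Gmer reads sector 0 of the disk twice: once the way any program would, by opening \\.\PHYSICALDRIVE0 from user mode, and once from kernel mode by sending the read down the storage stack it lists under "Disk trace" (CLASSPNP, disk, ACPI, iaStor). On a clean machine both reads return the same 512 bytes. Here the user-mode open was refused, the user-mode read failed, the kernel-side read succeeded, and the two results disagree ("user != kernel MBR !!!"), so something in the disk I/O path is intercepting reads of the boot sector. The code Gmer disassembled is also not the stock Windows MBR: it copies 0x200 bytes to segment 0x7A0 and far-jumps into that copy, which is the shape of a bootkit loader staging its own code before the real boot code runs. The script below is an added example, not part of this thread and not Gmer's or TDSSKiller's code. It reproduces the user-versus-kernel comparison and adds the static checks an analyst runs on a dumped MBR: boot signature, whether the bootstrap code starts with the stock Windows XP prologue, and partition-table sanity. Both sample images are constructed: the "clean" one uses the well-known XP MBR prologue bytes, and the "infected" one uses the loader stub from the log hand-assembled into opcode bytes (that encoding and the partition layout are this example's own assumptions).

```python
"""MBR parse-and-compare check in the spirit of Gmer's "user != kernel MBR" test.
Added example for this thread, not Gmer code; the sample images are constructed below."""
import struct
from dataclasses import dataclass
from typing import Optional

MBR_SIZE = 512
CODE_SIZE = 446        # bootstrap code occupies offsets 0x000-0x1BD
PT_OFFSET = 0x1BE      # four 16-byte partition entries follow
SIG_OFFSET = 0x1FE     # 0x55 0xAA boot signature ends the sector

# Opening bytes of the stock Windows XP MBR:
#   xor ax,ax / mov ss,ax / mov sp,7C00h / mov es,ax / mov ds,ax /
#   mov si,7C00h / mov di,0600h / mov cx,0200h / cld / rep movsb
XP_MBR_PROLOGUE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list:
    """Decode the partition table; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def analyze_mbr(mbr: bytes) -> dict:
    """Static checks an analyst runs on one dumped 512-byte MBR image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = parse_partitions(mbr)
    signature_ok = mbr[SIG_OFFSET:] == b"\x55\xAA"
    standard_prologue = mbr.startswith(XP_MBR_PROLOGUE)
    findings = []
    if not signature_ok:
        findings.append("boot signature missing or corrupt")
    if not standard_prologue:
        findings.append("bootstrap code does not start with the stock Windows XP MBR prologue")
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active partition")
    # Overlapping entries are never legitimate and deserve a closer look.
    spans = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partition entries overlap (%d-%d vs %d-%d)" % (s1, e1, s2, e2))
    return {"signature_ok": signature_ok, "standard_prologue": standard_prologue,
            "partitions": parts, "findings": findings}


def compare_mbr(user_mbr: Optional[bytes], kernel_mbr: bytes) -> list:
    """The Gmer test: the same sector read through the user-mode device path and
    from the kernel side must be byte-identical. Differences are reported per region."""
    if user_mbr is None:
        return ["user-mode MBR read failed; a filter in the disk I/O path may be blocking it"]
    findings = []
    if user_mbr[:CODE_SIZE] != kernel_mbr[:CODE_SIZE]:
        first = next(i for i in range(CODE_SIZE) if user_mbr[i] != kernel_mbr[i])
        findings.append("bootstrap code differs (first mismatch at offset 0x%03x)" % first)
    if user_mbr[PT_OFFSET:SIG_OFFSET] != kernel_mbr[PT_OFFSET:SIG_OFFSET]:
        findings.append("partition table differs")
    if user_mbr[SIG_OFFSET:] != kernel_mbr[SIG_OFFSET:]:
        findings.append("boot signature differs")
    return findings


def report(user_mbr: Optional[bytes], kernel_mbr: bytes) -> list:
    """One line per image plus one line per user/kernel difference."""
    lines = []
    for label, img in (("user", user_mbr), ("kernel", kernel_mbr)):
        if img is None:
            lines.append("%s: read failed" % label)
            continue
        a = analyze_mbr(img)
        lines.append("%s: %d partition(s); %s" % (
            label, len(a["partitions"]), "; ".join(a["findings"]) or "no static findings"))
    lines.extend("user vs kernel: " + f for f in compare_mbr(user_mbr, kernel_mbr))
    return lines


def _build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte image from boot code and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", lba, cnt)
                     for st, ty, lba, cnt in entries)
    return boot_code.ljust(CODE_SIZE, b"\0") + table.ljust(64, b"\0") + b"\x55\xAA"


# Constructed sample: one bootable NTFS (0x07) partition starting at LBA 63.
_PARTITIONS = [(0x80, 0x07, 63, 0x0E8E0000)]
CLEAN_MBR = _build_mbr(XP_MBR_PROLOGUE, _PARTITIONS)

# Constructed sample: the loader stub Gmer disassembled from the kernel-side read,
# hand-assembled here (the opcode bytes are this example's own encoding):
#   xor di,di / mov si,200h / mov ss,di / mov sp,7A00h / mov bx,7A0h /
#   mov cx,si / mov ds,bx / mov es,bx / rep movsb / jmp far 07A0h:007Ah
LOADER_STUB = bytes.fromhex("31ffbe00028ed7bc007abba00789f18edb8ec3f3a4ea7a00a007")
INFECTED_MBR = _build_mbr(LOADER_STUB, _PARTITIONS)

if __name__ == "__main__":
    for line in report(CLEAN_MBR, INFECTED_MBR):
        print(line)
```

Run as a script it prints the report for the constructed pair. On a real system you would feed it 512 bytes read from \\.\PhysicalDrive0 (administrator rights needed) as the user-side image and a copy of the same sector taken from a trusted path, such as an offline read with the disk booted from clean media, as the kernel-side image; if the user-side read itself fails, pass None and the script reports that condition rather than comparing against nothing.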


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run; once it is finished, move on to the next step.

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.

Also please describe how your computer behaves at the moment.


OK, completed GooredFix and TDSSKiller.

My PC still won't finish installing Windows updates (with Service Pack 3, which will let me get MS Security Essentials).

Here is the TDSSKiller log

2011/08/09 09:09:32.0796 0608 TDSS rootkit removing tool 2.5.14.0 Aug 5 2011 16:09:29

2011/08/09 09:09:32.0828 0608 ================================================================================

2011/08/09 09:09:32.0828 0608 SystemInfo:

2011/08/09 09:09:32.0828 0608

2011/08/09 09:09:32.0828 0608 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/09 09:09:32.0828 0608 Product type: Workstation

2011/08/09 09:09:32.0828 0608 ComputerName: CLINT_HP

2011/08/09 09:09:32.0828 0608 UserName: Freeman

2011/08/09 09:09:32.0828 0608 Windows directory: C:\WINDOWS

2011/08/09 09:09:32.0828 0608 System windows directory: C:\WINDOWS

2011/08/09 09:09:32.0828 0608 Processor architecture: Intel x86

2011/08/09 09:09:32.0828 0608 Number of processors: 2

2011/08/09 09:09:32.0828 0608 Page size: 0x1000

2011/08/09 09:09:32.0828 0608 Boot type: Normal boot

2011/08/09 09:09:32.0828 0608 ================================================================================

2011/08/09 09:09:33.0484 0608 Initialize success

2011/08/09 09:09:36.0500 1232 ================================================================================

2011/08/09 09:09:36.0500 1232 Scan started

2011/08/09 09:09:36.0500 1232 Mode: Manual;

2011/08/09 09:09:36.0500 1232 ================================================================================

2011/08/09 09:09:36.0875 1232 5U870CAP_VID_1262&PID_25FD (d2142fee659d97b2b05820f21594bfe2) C:\WINDOWS\system32\Drivers\5U870CAP.sys

2011/08/09 09:09:37.0093 1232 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2011/08/09 09:09:37.0156 1232 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/08/09 09:09:37.0187 1232 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/08/09 09:09:37.0234 1232 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2011/08/09 09:09:37.0281 1232 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/08/09 09:09:37.0359 1232 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/08/09 09:09:37.0390 1232 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/08/09 09:09:37.0453 1232 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2011/08/09 09:09:37.0500 1232 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2011/08/09 09:09:37.0546 1232 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2011/08/09 09:09:37.0578 1232 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2011/08/09 09:09:37.0625 1232 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2011/08/09 09:09:37.0671 1232 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2011/08/09 09:09:37.0703 1232 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2011/08/09 09:09:37.0750 1232 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2011/08/09 09:09:37.0781 1232 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/08/09 09:09:37.0843 1232 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2011/08/09 09:09:37.0890 1232 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2011/08/09 09:09:37.0937 1232 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2011/08/09 09:09:38.0031 1232 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/08/09 09:09:38.0078 1232 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/08/09 09:09:38.0140 1232 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/08/09 09:09:38.0187 1232 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/08/09 09:09:38.0218 1232 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/08/09 09:09:38.0250 1232 BTWUSB (4272bab9291d26da5ac913bc79c3ce85) C:\WINDOWS\system32\Drivers\btwusb.sys

2011/08/09 09:09:38.0296 1232 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2011/08/09 09:09:38.0328 1232 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/08/09 09:09:38.0390 1232 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/08/09 09:09:38.0437 1232 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2011/08/09 09:09:38.0500 1232 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/08/09 09:09:38.0546 1232 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/08/09 09:09:38.0578 1232 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/08/09 09:09:38.0640 1232 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/08/09 09:09:38.0687 1232 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2011/08/09 09:09:38.0718 1232 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/08/09 09:09:38.0796 1232 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2011/08/09 09:09:38.0843 1232 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2011/08/09 09:09:38.0890 1232 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2011/08/09 09:09:38.0953 1232 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/08/09 09:09:39.0031 1232 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/08/09 09:09:39.0125 1232 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/08/09 09:09:39.0171 1232 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/08/09 09:09:39.0203 1232 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/08/09 09:09:39.0281 1232 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2011/08/09 09:09:39.0328 1232 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/08/09 09:09:39.0375 1232 e1express (f239ec59b4a30266a4a7b081a5dee0fc) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

2011/08/09 09:09:39.0421 1232 eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys

2011/08/09 09:09:39.0453 1232 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys

2011/08/09 09:09:39.0562 1232 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2011/08/09 09:09:39.0625 1232 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2011/08/09 09:09:39.0796 1232 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/08/09 09:09:39.0843 1232 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/08/09 09:09:39.0890 1232 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/08/09 09:09:39.0937 1232 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/08/09 09:09:39.0984 1232 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/08/09 09:09:40.0031 1232 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/08/09 09:09:40.0078 1232 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/08/09 09:09:40.0125 1232 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/08/09 09:09:40.0140 1232 HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys

2011/08/09 09:09:40.0203 1232 HdAudAddService (2a6e9a118da2dd0439551a7eb3a8f65e) C:\WINDOWS\system32\drivers\CHDAud.sys

2011/08/09 09:09:40.0265 1232 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/08/09 09:09:40.0312 1232 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/08/09 09:09:40.0359 1232 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2011/08/09 09:09:40.0421 1232 HSFHWAZL (448c0fd272fe1b80046f4767db21eb8d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys

2011/08/09 09:09:40.0515 1232 HSF_DPV (2715a27de9c17bdbaf6d6c79989a7b12) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

2011/08/09 09:09:40.0687 1232 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/08/09 09:09:40.0734 1232 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2011/08/09 09:09:40.0781 1232 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2011/08/09 09:09:40.0812 1232 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/08/09 09:09:40.0890 1232 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys

2011/08/09 09:09:40.0953 1232 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/08/09 09:09:41.0015 1232 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2011/08/09 09:09:41.0062 1232 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/08/09 09:09:41.0109 1232 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/08/09 09:09:41.0140 1232 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/08/09 09:09:41.0187 1232 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/08/09 09:09:41.0218 1232 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/08/09 09:09:41.0250 1232 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/08/09 09:09:41.0296 1232 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/08/09 09:09:41.0328 1232 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/08/09 09:09:41.0375 1232 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/08/09 09:09:41.0421 1232 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/08/09 09:09:41.0453 1232 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/08/09 09:09:41.0500 1232 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/08/09 09:09:41.0562 1232 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/08/09 09:09:41.0656 1232 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys

2011/08/09 09:09:41.0703 1232 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/08/09 09:09:41.0734 1232 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys

2011/08/09 09:09:41.0781 1232 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/08/09 09:09:41.0828 1232 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/08/09 09:09:41.0875 1232 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/08/09 09:09:41.0921 1232 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/08/09 09:09:41.0953 1232 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/08/09 09:09:42.0000 1232 MQAC (eee50bf24caeedb515a8f3b22756d3bb) C:\WINDOWS\system32\drivers\mqac.sys

2011/08/09 09:09:42.0062 1232 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2011/08/09 09:09:42.0125 1232 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/08/09 09:09:42.0171 1232 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/08/09 09:09:42.0203 1232 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/08/09 09:09:42.0250 1232 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/08/09 09:09:42.0281 1232 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/08/09 09:09:42.0312 1232 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/08/09 09:09:42.0359 1232 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/08/09 09:09:42.0375 1232 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/08/09 09:09:42.0421 1232 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/08/09 09:09:42.0453 1232 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/08/09 09:09:42.0625 1232 NAVENG (920d9701bba90dbb7ccfd3536ea4d6f9) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110803.001\NAVENG.Sys

2011/08/09 09:09:42.0703 1232 NAVEX15 (31b1a9b53c3319b97f7874347cd992d2) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110803.001\NavEx15.Sys

2011/08/09 09:09:42.0859 1232 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/08/09 09:09:42.0906 1232 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/08/09 09:09:42.0937 1232 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/08/09 09:09:42.0984 1232 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/08/09 09:09:43.0015 1232 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/08/09 09:09:43.0062 1232 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/08/09 09:09:43.0093 1232 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/08/09 09:09:43.0125 1232 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/08/09 09:09:43.0187 1232 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/08/09 09:09:43.0234 1232 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/08/09 09:09:43.0296 1232 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/08/09 09:09:43.0359 1232 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/08/09 09:09:43.0546 1232 nv (59e5d945934ec2e7eaa22af81813dabf) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/08/09 09:09:43.0750 1232 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/08/09 09:09:43.0796 1232 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/08/09 09:09:43.0859 1232 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/08/09 09:09:43.0906 1232 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2011/08/09 09:09:43.0953 1232 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/08/09 09:09:43.0984 1232 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/08/09 09:09:44.0015 1232 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/08/09 09:09:44.0078 1232 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/08/09 09:09:44.0109 1232 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/08/09 09:09:44.0234 1232 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2011/08/09 09:09:44.0281 1232 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2011/08/09 09:09:44.0375 1232 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/08/09 09:09:44.0421 1232 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/08/09 09:09:44.0453 1232 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/08/09 09:09:44.0500 1232 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/08/09 09:09:44.0531 1232 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2011/08/09 09:09:44.0562 1232 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2011/08/09 09:09:44.0593 1232 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2011/08/09 09:09:44.0625 1232 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2011/08/09 09:09:44.0671 1232 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2011/08/09 09:09:44.0703 1232 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/08/09 09:09:44.0765 1232 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/08/09 09:09:44.0796 1232 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/08/09 09:09:44.0843 1232 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/08/09 09:09:44.0875 1232 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/08/09 09:09:44.0890 1232 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/08/09 09:09:44.0953 1232 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/08/09 09:09:45.0015 1232 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/08/09 09:09:45.0046 1232 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/08/09 09:09:45.0109 1232 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys

2011/08/09 09:09:45.0140 1232 rimsptsk (d0a35b7670aa3558eaab483f64446496) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys

2011/08/09 09:09:45.0187 1232 rismxdp (3ac17802740c3a4764dc9750e92e6233) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys

2011/08/09 09:09:45.0234 1232 RMCAST (ecff394d65671efde5a872eb9ef4f2d5) C:\WINDOWS\system32\drivers\RMCast.sys

2011/08/09 09:09:45.0296 1232 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/08/09 09:09:45.0453 1232 SAVRT (21ba125b956a513f85f6ab1dd603f917) c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS

2011/08/09 09:09:45.0468 1232 SAVRTPEL (0f8e1c05fc1298f8e7cea935429f66ff) c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS

2011/08/09 09:09:45.0656 1232 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2011/08/09 09:09:45.0718 1232 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/08/09 09:09:45.0796 1232 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2011/08/09 09:09:45.0843 1232 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/08/09 09:09:45.0968 1232 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2011/08/09 09:09:46.0031 1232 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/08/09 09:09:46.0109 1232 SNP2UVC (fac7b89330e20713950925050c91cd04) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys

2011/08/09 09:09:46.0171 1232 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2011/08/09 09:09:46.0281 1232 SPBBCDrv (16aa4657806e3ea423d7e9286e763016) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2011/08/09 09:09:46.0421 1232 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/08/09 09:09:46.0468 1232 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/08/09 09:09:46.0531 1232 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/08/09 09:09:46.0578 1232 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/08/09 09:09:46.0609 1232 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/08/09 09:09:46.0656 1232 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/08/09 09:09:46.0718 1232 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2011/08/09 09:09:46.0750 1232 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2011/08/09 09:09:46.0796 1232 SYMDNS (61a932f6e04c1d125659ec5f9a158cc1) C:\WINDOWS\System32\Drivers\SYMDNS.SYS

2011/08/09 09:09:46.0890 1232 SymEvent (6db4cfcabd55c05649104f2384f2a10f) C:\Program Files\Symantec\SYMEVENT.SYS

2011/08/09 09:09:46.0921 1232 SYMFW (033a6a91aa4162540c1e39a0d5c563c8) C:\WINDOWS\System32\Drivers\SYMFW.SYS

2011/08/09 09:09:46.0968 1232 SYMIDS (071f8c6c95d8b632e73dcdbf865d8e46) C:\WINDOWS\System32\Drivers\SYMIDS.SYS

2011/08/09 09:09:47.0093 1232 SYMIDSCO (76dcba76caa80365e6d5792afaa2adb5) C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys

2011/08/09 09:09:47.0250 1232 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys

2011/08/09 09:09:47.0296 1232 SYMNDIS (a6bbadd2472ffc5b6ce3198e13ee0e74) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS

2011/08/09 09:09:47.0328 1232 SYMREDRV (df5514802a2e0a478e29be2e33360807) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2011/08/09 09:09:47.0375 1232 SYMTDI (9da226bc68389fbd6ec0e01286e7639c) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2011/08/09 09:09:47.0437 1232 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2011/08/09 09:09:47.0484 1232 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2011/08/09 09:09:47.0531 1232 SynTP (369d0626687a968182a9db40fe8a0905) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2011/08/09 09:09:47.0578 1232 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/08/09 09:09:47.0640 1232 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/08/09 09:09:47.0671 1232 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/08/09 09:09:47.0718 1232 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/08/09 09:09:47.0750 1232 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/08/09 09:09:47.0796 1232 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2011/08/09 09:09:47.0859 1232 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/08/09 09:09:47.0921 1232 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2011/08/09 09:09:48.0000 1232 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/08/09 09:09:48.0046 1232 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/08/09 09:09:48.0078 1232 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/08/09 09:09:48.0125 1232 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/08/09 09:09:48.0156 1232 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/08/09 09:09:48.0203 1232 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2011/08/09 09:09:48.0265 1232 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/08/09 09:09:48.0281 1232 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/08/09 09:09:48.0375 1232 w39n51 (c79918a5bd269035f3a34d157401b9df) C:\WINDOWS\system32\DRIVERS\w39n51.sys

2011/08/09 09:09:48.0546 1232 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/08/09 09:09:48.0593 1232 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/08/09 09:09:48.0687 1232 winachsf (7fe372b1ab60736cc67e8eb6f1fb1f5b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/08/09 09:09:48.0781 1232 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/08/09 09:09:48.0843 1232 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/08/09 09:09:48.0937 1232 MBR (0x1B8) (665277635dc8ba83deae12eadedb75a0) \Device\Harddisk0\DR0

2011/08/09 09:09:48.0937 1232 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1

2011/08/09 09:09:48.0953 1232 Boot (0x1200) (1669db8c38d935f8d47e105e18279380) \Device\Harddisk0\DR0\Partition0

2011/08/09 09:09:49.0000 1232 Boot (0x1200) (295132fdcdf50d284546e663f40fa5de) \Device\Harddisk0\DR0\Partition1

2011/08/09 09:09:49.0015 1232 Boot (0x1200) (e8cc5be0cf9d3dd0a25567ff7ceb9db7) \Device\Harddisk1\DR1\Partition0

2011/08/09 09:09:49.0015 1232 ================================================================================

2011/08/09 09:09:49.0015 1232 Scan finished

2011/08/09 09:09:49.0015 1232 ================================================================================

2011/08/09 09:09:49.0031 1664 Detected object count: 0

2011/08/09 09:09:49.0031 1664 Actual detected object count: 0

Here is the GooredFix log

GooredFix by jpshortstuff (03.07.10.1)

Log created at 15:05 on 08/08/2011 (Freeman)

Firefox version [unable to determine]

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:16 11/05/2011]

{AB2CE124-6272-4b12-94A9-7303C7397BD1} [00:44 21/01/2011]

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [22:14 12/01/2009]

{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [00:42 20/07/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

(Key not found)

-=E.O.F=-

Thank you again, for any help.
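The TDSSKiller log above is a flat list of loaded drivers and boot sectors with their MD5 hashes, which only becomes useful when something compares it against a known-good state. The following is an added example, not part of the original post and not TDSSKiller's own code: it parses that line format, lists drivers loaded from outside the Windows driver directories, and diffs the hashes against a baseline from an earlier clean run. The excerpt in SAMPLE_LOG is copied from the log above; BASELINE is constructed for illustration (the tcpip.sys hash in it is deliberately different so that a change shows up).

```python
"""Parse a TDSSKiller-style scan log and triage the driver and boot-sector
hashes it reports.  Added example; the log excerpt is copied from the scan
above, the BASELINE dictionary is constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One entry per line: timestamp, thread id, object name, (md5), path.
# The name may itself contain parentheses ("MBR (0x1B8)"), hence the lazy match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)

# Directories the OS itself loads drivers from; anything else is worth a look.
# Windows paths are case-insensitive, so everything is compared lower-cased.
SYSTEM_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32")


@dataclass(frozen=True)
class Entry:
    name: str
    md5: str
    path: str

    @property
    def kind(self) -> str:
        if self.name.startswith("MBR"):
            return "mbr"
        if self.name.startswith("Boot"):
            return "bootsector"
        return "driver"


def parse_log(text: str) -> list[Entry]:
    """Return the hashed objects in the log; status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["name"], m["md5"].lower(), m["path"]))
    return entries


def outside_system_dirs(entries: list[Entry]) -> list[Entry]:
    """Drivers loaded from outside the Windows driver directories.
    Third-party security products legitimately live elsewhere (the Norton
    drivers in this log do), so this is a review list, not a verdict."""
    return [e for e in entries
            if e.kind == "driver" and not e.path.lower().startswith(SYSTEM_DIRS)]


def compare_baseline(entries: list[Entry], baseline: dict[str, str]):
    """Diff this run against {lower-cased path: md5} from a known-clean run.
    A changed MBR or boot-sector hash is the classic bootkit signal; a changed
    system driver hash needs explaining by a patch or by an infection."""
    changed, new = [], []
    for e in entries:
        expected = baseline.get(e.path.lower())
        if expected is None:
            new.append(e)
        elif expected.lower() != e.md5:
            changed.append(e)
    return changed, new


# Excerpt copied from the TDSSKiller log above (status lines included on purpose).
SAMPLE_LOG = r"""
2011/08/09 09:09:43.0125 1232 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/09 09:09:47.0640 1232 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/09 09:09:45.0453 1232 SAVRT (21ba125b956a513f85f6ab1dd603f917) c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS
2011/08/09 09:09:46.0796 1232 SYMDNS (61a932f6e04c1d125659ec5f9a158cc1) C:\WINDOWS\System32\Drivers\SYMDNS.SYS
2011/08/09 09:09:48.0937 1232 MBR (0x1B8) (665277635dc8ba83deae12eadedb75a0) \Device\Harddisk0\DR0
2011/08/09 09:09:48.0937 1232 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
2011/08/09 09:09:48.0953 1232 Boot (0x1200) (1669db8c38d935f8d47e105e18279380) \Device\Harddisk0\DR0\Partition0
2011/08/09 09:09:49.0015 1232 Scan finished
2011/08/09 09:09:49.0031 1664 Detected object count: 0
"""

# Constructed baseline: pretend an earlier clean run recorded these hashes.
# tcpip.sys is deliberately different from the log so that the diff reports it.
BASELINE = {
    r"c:\windows\system32\drivers\netbt.sys": "74b2b2f5bea5e9a3dc021d685551bd3d",
    r"c:\windows\system32\drivers\tcpip.sys": "0000000000000000000000000000dead",
    r"c:\windows\system32\drivers\symdns.sys": "61a932f6e04c1d125659ec5f9a158cc1",
    r"\device\harddisk0\dr0": "665277635dc8ba83deae12eadedb75a0",
    r"\device\harddisk1\dr1": "8f558eb6672622401da993e1e865c861",
    r"\device\harddisk0\dr0\partition0": "1669db8c38d935f8d47e105e18279380",
}


def triage(text: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Names of entries in each review bucket, ready to paste into a reply."""
    entries = parse_log(text)
    changed, new = compare_baseline(entries, baseline)
    return {
        "outside_system_dirs": [e.name for e in outside_system_dirs(entries)],
        "hash_changed": [e.name for e in changed],
        "not_in_baseline": [e.name for e in new],
    }


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_LOG, BASELINE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run it against a full log saved from TDSSKiller; the baseline is whatever you recorded from the same machine before the trouble started, or from an identical clean build. The "outside_system_dirs" bucket will always contain the security product's own drivers, so read it rather than acting on it.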


Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 (if using this link, right-click and select Save As).

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Ok, the ComboFix step is complete. I haven't noticed any differences yet, but I haven't rebooted either.

Here is the log:

ComboFix 11-08-09.02 - Freeman 08/09/2011 13:31:37.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1287 [GMT -4:00]

Running from: c:\documents and settings\Freeman\Desktop\ComboFix.exe

AV: Norton Internet Security 2006 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security 2006 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\Cache

E:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))

.

.

2011-08-09 16:44 . 2008-04-13 18:45 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys

2011-08-09 15:38 . 2011-08-09 15:38 -------- d-----w- c:\windows\IIS Temporary Compressed Files

2011-08-09 15:36 . 2011-08-09 15:38 -------- d-----w- C:\Inetpub

2011-08-09 15:36 . 2011-08-09 15:36 -------- d-----w- c:\windows\system32\Logfiles

2011-08-09 15:27 . 2006-10-14 20:43 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-08-09 15:27 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll

2011-08-09 13:25 . 2011-02-08 13:33 978944 ------w- c:\windows\system32\dllcache\mfc42.dll

2011-08-09 13:25 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll

2011-08-09 13:25 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2011-08-09 13:25 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2011-08-09 13:24 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2011-08-09 13:24 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-08-09 13:23 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe

2011-08-08 20:07 . 2011-08-08 20:07 -------- d-----w- c:\windows\system32\scripting

2011-08-08 20:07 . 2011-08-08 20:07 -------- d-----w- c:\windows\system32\en

2011-08-08 20:07 . 2011-08-08 20:07 -------- d-----w- c:\windows\system32\bits

2011-08-03 20:42 . 2011-08-03 20:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-08-03 13:48 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-03 13:40 . 2011-08-03 13:41 -------- d-----w- c:\program files\OpenOffice.org 3

2011-08-03 13:38 . 2011-04-25 16:11 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2011-08-03 13:38 . 2011-04-26 14:11 11081728 ------w- c:\windows\system32\dllcache\ieframe.dll

2011-08-03 13:38 . 2011-04-25 16:11 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll

2011-08-03 13:38 . 2011-04-25 16:11 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-08-03 13:38 . 2011-04-25 16:11 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2011-08-03 13:38 . 2011-04-25 16:11 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2011-08-03 13:38 . 2011-04-25 16:11 1991680 ------w- c:\windows\system32\dllcache\iertutil.dll

2011-08-03 13:35 . 2011-08-04 14:02 -------- d-----w- c:\documents and settings\Freeman

2011-08-03 13:19 . 2006-03-15 20:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll

2011-08-03 13:19 . 2006-03-15 20:00 5632 ----a-w- c:\windows\system32\kbdusa.dll

2011-08-03 13:19 . 2006-03-15 20:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll

2011-08-03 13:19 . 2006-03-15 20:00 10752 ----a-w- c:\windows\system32\c_iscii.dll

2011-08-03 13:18 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-08-03 13:18 . 2008-04-14 00:12 20992 ----a-w- c:\windows\system32\dshowext.ax

2011-08-03 13:18 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2011-08-03 13:11 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-03 12:57 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll

2011-08-03 12:57 . 2008-04-14 00:12 276992 ------w- c:\windows\system32\wmphoto.dll

2011-08-03 12:57 . 2008-04-14 00:12 712704 ------w- c:\windows\system32\windowscodecs.dll

2011-08-03 12:57 . 2008-04-14 00:12 346112 ------w- c:\windows\system32\windowscodecsext.dll

2011-08-03 12:57 . 2008-04-13 18:43 14208 ------w- c:\windows\system32\drivers\wacompen.sys

2011-08-03 12:57 . 2004-08-04 02:29 25471 ------w- c:\windows\system32\drivers\watv10nt.sys

2011-08-03 12:57 . 2004-08-04 02:29 22271 ------w- c:\windows\system32\drivers\watv06nt.sys

2011-08-03 12:57 . 2004-08-04 02:29 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys

2011-08-03 12:57 . 2004-08-04 02:29 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys

2011-08-03 12:57 . 2004-08-04 02:29 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys

2011-08-03 12:57 . 2004-08-04 02:29 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys

2011-08-03 12:55 . 2008-04-14 00:11 37376 ------w- c:\windows\system32\l2gpstore.dll

2011-08-03 12:48 . 2009-11-27 16:07 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll

2011-08-03 12:48 . 2011-02-17 13:18 357888 ------w- c:\windows\system32\dllcache\srv.sys

2011-08-03 12:48 . 2011-02-17 13:18 455936 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2011-08-03 12:48 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2011-08-03 12:46 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys

2011-08-03 12:46 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

2011-08-03 12:46 . 2010-08-27 08:02 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

2011-08-03 12:46 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll

2011-08-03 12:46 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

2011-08-03 12:46 . 2011-01-21 14:44 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2011-08-03 12:43 . 2011-02-16 13:22 138496 ------w- c:\windows\system32\dllcache\afd.sys

2011-08-03 12:43 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2011-08-03 12:43 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys

2011-08-03 12:43 . 2009-06-10 13:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll

2011-08-03 12:42 . 2010-01-13 14:01 86016 ------w- c:\windows\system32\dllcache\cabview.dll

2011-08-03 01:00 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B16E9CCF-3A7E-4DCE-BDDF-8738C7EDA528}\mpengine.dll

2011-07-25 01:58 . 2011-07-25 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-07-25 01:58 . 2011-08-03 13:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-20 00:42 . 2011-07-20 00:41 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-07-17 11:49 . 2011-07-17 11:49 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-07-17 11:49 . 2011-07-17 11:49 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

2011-07-11 23:55 . 2011-07-11 23:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-13 03:39 . 2011-05-08 12:46 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-06-02 14:02 . 2006-03-16 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-07-17 11:49 . 2011-05-11 23:16 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2009-04-01 02:47 . 2009-02-19 18:04 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]

"nwiz"="nwiz.exe" [2006-07-20 1519616]

"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

Linksys EasyLink Advisor.lnk - c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe [2008-3-28 110592]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-11-8 438272]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/24/2011 9:58 PM 366640]

R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 4:39 PM 61952]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [8/3/2011 4:23 PM 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/3/2011 9:11 AM 22712]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2612672536-3481276927-3987471508-1005Core.job

- c:\documents and settings\Freeman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-03 12:58]

.

2011-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2612672536-3481276927-3987471508-1005UA.job

- c:\documents and settings\Freeman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-03 12:58]

.

2011-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-864459783-1969530140-2722950199-1005Core.job

- c:\documents and settings\Clint\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-22 00:08]

.

2011-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-864459783-1969530140-2722950199-1005UA.job

- c:\documents and settings\Clint\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-22 00:08]

.

2011-07-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]

.

2011-08-06 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Freeman.job

- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 16:13]

.

2011-08-09 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-09-17 21:21]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.97 192.168.0.99

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-09 13:38

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????[??????`?@?????L?@

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

.

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

kernel: MBR read successfully

user != kernel MBR !!!

.

**************************************************************************

.

Completion time: 2011-08-09 13:41:03

ComboFix-quarantined-files.txt 2011-08-09 17:41

.

Pre-Run: 977,244,160 bytes free

Post-Run: 1,690,517,504 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - A29D4831A7BD7AAEFC2CE05E19108E1B

Thanks again for all of your help.


No, the error hasn't been on Office to my knowledge.

I've just tried to install (Windows Update) 11 high priority updates (none include Office), it actually installed this time.

However, installing .NET framework 3.0 failed.

Prior to this process I had removed the .NET (1.6 I think) to try and get 3.0 to install, which did not work either.

MSSE did install, which might mean I'm good to go... (it is scanning now)

what do you think?


Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  • Using a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA - Click this link and click on the Free JAVA Download.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
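The six Internet Explorer settings in steps 5 to 10 of the "Make your Internet Explorer more secure" list above are stored as DWORD values under the current user's Internet zone key (zone 3), encoded as 0 = Enable, 1 = Prompt and 3 = Disable. The following is an added example, not from the helper's post and not a Microsoft tool: it reads an exported copy of that key, reports which of the six values deviate from the recommended state, and writes a .reg fragment that corrects only those. SAMPLE_EXPORT is a constructed export, not taken from the machine in this thread; the value name to setting mapping is the documented IE URL-action encoding.

```python
"""Audit an exported Internet Explorer Internet-zone key against the
settings recommended above and emit a .reg file that applies them.
Added example; SAMPLE_EXPORT below is constructed, not taken from the
machine in this thread."""
from __future__ import annotations

import re

# Internet zone (zone 3) for the current user.
INTERNET_ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                     r"\CurrentVersion\Internet Settings\Zones\3")

# URL-action policy values as IE stores them: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Registry value name -> (dialog label, recommended policy) for steps 5 to 10.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> dict[str, dict[str, int]]:
    """Minimal .reg reader: {key path: {value name: int}} for DWORD values.
    String and binary values are ignored; the zone policies are all DWORDs."""
    keys: dict[str, dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current = keys.setdefault(k.group(1), {})
            continue
        d = DWORD_RE.match(line)
        if d and current is not None:
            current[d.group(1)] = int(d.group(2), 16)
    return keys


def audit(zone: dict[str, int]) -> list[tuple[str, str, int | None, int]]:
    """Findings as (value id, label, current or None when unset, recommended).
    An unset value means the zone template default applies, so it is reported
    rather than assumed to be safe."""
    findings = []
    for vid, (label, want) in RECOMMENDED.items():
        have = zone.get(vid)
        if have != want:
            findings.append((vid, label, have, want))
    return findings


def render_fix(findings) -> str:
    """A .reg file (for `reg import`) that sets only the deviating values."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{INTERNET_ZONE_KEY}]"]
    for vid, _label, _have, want in findings:
        lines.append(f'"{vid}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed export: unsigned ActiveX download and cross-domain sub-frames
# are left at Enable, and the IFRAME setting is absent altogether.
SAMPLE_EXPORT = f"""Windows Registry Editor Version 5.00

[{INTERNET_ZONE_KEY}]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"""


if __name__ == "__main__":
    zone = parse_reg_export(SAMPLE_EXPORT)[INTERNET_ZONE_KEY]
    found = audit(zone)
    for vid, label, have, want in found:
        now = ACTION_NAME.get(have, "not set") if have is not None else "not set"
        print(f"{vid} {label}: {now} -> {ACTION_NAME[want]}")
    print(render_fix(found))
```

On the affected machine, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` (the file is UTF-16, so open it with `encoding="utf-16"`), run the audit, review the findings, then apply the generated fragment with `reg import`. Setting the values in the registry is equivalent to the Custom Level dialog for the Internet zone; a Group Policy that locks the zone will override both.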

